undefined | Better HN

0 pointshuhtenberg8y ago0 comments

There's NO value in 3rd party vouching for the security (read, quality) of some specific version of the software, because this opinion will be rendered null and void with the next software update.

There is some value in 3rd party verifying the system design (the architecture, the protocol, etc.) and general engineering practices in the company, but this still hinges on the need to trust this company not to be (or being coerced to be) malicious. TunnelBear hasn't established the latter, so - yes, there's little to no value in former. There is some marketing value in it though.

PS. Zimmerman's original secure VoIP project was rooted in the idea of reproducible builds. It was open source, but with a license that prohibited any use except for verifying binary builds. It was 20 (?) years ago.

0 comments

2 comments · 2 top-level

michaelmior8y ago

"NO value" is a huge stretch IMO. Sure, it's entirely possible for gaping security holes to be introduced in future releases, but if past versions have been consistently vouched for as secure, that's still going to increase my confidence in future versions being secure. Or if I'm paranoid, then where possible I can just stick to a specific version which has been vouched for as secure.

lfam8y ago

Regarding Zimmerman's VoIP, Tarsnap does the same thing. The client source is available but you aren't allowed to use it for anything except building the client for the Tarsnap service.

j / k navigate · click thread line to collapse